Thursday,
January 13th, 2000
Parklawn Building, Rockville, Maryland
Background
The Department of Health and Human Services
(DHHS) recently proposed regulations for
both data security and privacy of individually
identifiable health information pursuant
to the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).
Under HIPAA, health care organizations,
provider plans, clearinghouses and organizations
they contract with are subject to a series
of technical and internal policy requirements
relating to administrative simplification,
security and privacy. Additionally, the
Interagency Committee for Medical Records
by the General Services Administration
has issued guidelines for video capture
devices.
The Office for the Advancement of Telehealth
(OAT), formerly part of the Office of
Rural Health Policy, Health Resources
and Services Administration, has funded
telemedicine demonstration programs since
1989 and has invested over $36 million
in telemedicine demonstration and evaluation
projects. Since OAT grantees will be subject
to pending federal data security and privacy
regulations, the Office decided to offer
a one-day seminar on privacy issues and
HIPAA for its telemedicine grantees.
OAT believes that the move toward electronic
health records and the transmission of
sensitive patient data between and among
health system partners raises a number
of important issues. These issues include:
organizational risk, designing security
practices, organizing and maintaining
a security effort, enhancing provider
and patient understanding of privacy issues,
implementing a secure Internet environment,
and institutionalizing various roles and
responsibilities.
OAT is committed to helping its grantees
develop strategies that will help them
assess and address the security and privacy
threats they face, so that they may better
comply with new federal regulations while
at the same time improving their business
processes.
Seminar
On January 13th, 2000, OAT convened a
one-day seminar focused on privacy, security,
and confidentiality issues affecting telemedicine
grantees. Invited guests also included
representatives of the Federal Joint Working
Group on Telemedicine, and Federal health
care officials from several agencies including
HRSA, Indian Health Service, Food and
Drug Administration, National Institutes
of Health, Department of Defense, and
the Veterans Health Administration.
Presenters from academia, government,
and industry provided a wide perspective
on the legal, policy development, and
implementation considerations which most
health care organizations face.
The seminar goals were to:
- Review pending Congressional laws
and proposed DHHS administrative actions
pursuant to the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).
- Provide a high-level understanding
of the many concurrent processes and
players underway within government,
academia and industry working on solutions
to the problem.
- Determine a sequence of activities
to help position telemedicine grantees
and DHHS service delivery organizations
in compliance with likely legislation,
regulations, and/or industry-imposed
quality or other standards.
- Identify immediate steps which telemedicine
programs, DHHS health care institutions,
and funded organizations should be taking
to ensure a more secure (and therefore
a more compliant) environment.
- Exemplify, by way of case study, recent
successful programs whose experience
may prove invaluable to other telemedicine
efforts, DHHS organizations and institutions;
and otherwise help achieve the educational
goals and objectives of the Department
with regard to information security.
Presentations
Neal Neuberger, President of Health Tech
Strategies, LLC, and Jeff Collmann, Ph.D.,
of Georgetown University Medical Center
organized and facilitated the seminar.
Health Tech Strategies, LLC has produced
an extensive series of regional workshops
titled: Privacy, Security, and Confidentiality
of Medical Records: Complying With Sweeping
New HIPAA Requirements.
Dr. Collmann is the editor of the Computer-based
Patient Record Institute (CPRI) Toolkit,
Managing Information Security in Healthcare,
which provides up-to-date materials regarding
laws, rules and regulations as well as
model security policies and best practices
from major health care institutions throughout
the nation. Seminar organization and content
were based on the CPRI Toolkit approach
toward building "security capable
organizations."
A brief summary of seminar presentations
follows:
Jeff Collmann, Ph.D.
Georgetown University Medical Center,
ISIS Radiologic Imaging Center
Dr. Collmann presented an overview of
HIPAA’s requirements from the perspective
of telemedicine programs. He briefly discussed
the range of HIPAA Administrative Simplification
rules addressing electronic transactions
and code sets, and then, in more detail,
described the provisions contained in
pending data security and electronic signature
regulations and draft privacy rules. Dr.
Collmann discussed the need for good administrative
practices on the part of telemedicine
programs including the need for access
controls, contingency plans, internal
audits, personnel security, termination
procedures, training, and assigning security
responsibilities within programs. He also
discussed risk assessment and management
as central to HIPAA compliance, and then
described, by way of example, the Georgetown
ISIS Center security process. Likening
the issue to "Universal Precautions",
Dr. Collmann concluded that health information
security applies to everybody in the institution,
is part of the job, requires orientation
and annual training, should be a component
of annual review, and must be approached
with technological innovations in mind.
Shannah Koss
IBM Global Healthcare
Shannah Koss of IBM Health Care, Security
and Government Programs presented an overview
of HIPAA requirements, discussed steps
toward becoming HIPAA compliant, and outlined
risk assessment frameworks and approaches
that are a critical component of HIPAA
compliance. She reviewed a matrix discussing
various administrative procedures and
technical safeguards that institutions
should consider, and discussed the relative
importance of various approaches. She
started with a review of the draft regulations
in terms of what information is covered
under the rules, preemption, authorization
provisions, use and disclosure requirements,
contracts and business partner agreements,
notification, review and other regulatory
measures. Ms. Koss next described a checklist
that telemedicine and other programs should
begin addressing. Included among these
policies and procedures are establishing
physical safeguards, audit trails, proper
documentation, and cross-functional security
teams. Institutions need to begin with
a baseline security assessment, then perform
a "gap analysis", risk assessment,
identify available resources, develop
policies, begin implementing enterprise-wide
security solutions, establish high-level
administration support, and provide constant
auditing and documentation of their processes.
Jeremy E. Pierotti
Allina Health System
Jeremy E. Pierotti, Director, HIPAA Program,
Allina Health System discussed current
security structures and initiatives at
Allina including their management structure,
work plan, and risk assessment activities.
Their year 2000 security priorities center
around firewall security, identifying
and reviewing business partner relationships,
securing outbound Internet access, and
providing staff education. A HIPAA Program
Management Office has been established
and is implementing a work plan in stages
focused on risk assessment activities
based on a high-level impact assessment
grid, which Mr. Pierotti distributed at
the seminar. Allina anticipates that their
security program will be successful if
they can maintain senior management support,
solid program structure, thorough step-by-step
risk assessment, exceptional internal
communications, and adherence to project
management practices.
Jack Smith, Ph.D., M.D.
University of Texas, School of Allied
Health Sciences
Dr. Jack W. Smith, Chairman Health Informatics,
University of Texas, School of Allied
Health Sciences discussed developing and
implementing confidentiality and security
policies. Dr. Smith reported on the University’s
health security team, which includes broad
representation from interested and affected
parties including IT, Nursing, Pharmacy,
Physicians, Case Managers, Medical Records
Professionals, and the Chief Information
Officer. In a collaborative manner, the
team addresses potential problems having
to do with vendor selection, lack of appropriate
IT training among many key staff, unique
health problems and situations, and others.
Security in a large health organization
like UT is a "career" requiring
constant and ongoing attention by a full
range of professionals, since regulatory
bodies may be "clueless" and
there is a constant need to integrate
disparate cultures, economic, societal,
and social norms, and information
systems. Health information
security requires an interdisciplinary,
inter-professional approach and considerable
flexibility. Dr. Smith discussed the form
and function of his security team, and
then described a little bit about the
technologies they are using including
Public Key Infrastructure or "PKI".
Authentication techniques like digital
signatures, which both authenticate the
sender and guarantee message integrity,
are being used, along with encrypted e-mail,
access controls, and the "Lightweight Directory
Access Protocol" or "LDAP",
which is a general-purpose, standards-based
directory service.
Stanley Nachimson
Health Care Financing Administration
Stanley Nachimson, Health Care Financing
Administration, discussed HIPAA provisions
relating to transactions, identifiers,
and security. Reviewing the efficiency
and effectiveness goals of the HIPAA Administrative
Simplification provisions, Nachimson briefly
described mandated standards including:
transaction standards like claims or equivalent
encounters; referral certification and
authorization; enrollment and disenrollment
in a health plan; claims status; and attachments.
Additional required standards include:
coordination of benefits information;
unique identifiers (including allowed
uses) for individuals, employers, health
plans, and health providers; code sets;
as well as security and privacy standards.
He then discussed the standards adoption
process in terms of pending rules, comment
periods, upcoming publications, and a
little about the current status of each
regulation.
John Parmigiani
Health Care Financing Administration
John Parmigiani, Director of Enterprise
Standards, HCFA, next described HCFA’s
Internet Security Policy which flows from
a policy memo generated in response to
intermediary questions in Region II. In short,
HCFA Privacy Act and other sensitive HCFA
information will be protected under the
new policy, which requires encryption as
well as authentication and identification.
The HCFA policy meshes with HIPAA rules,
affects only data in transmission, and
is scalable. HCFA is working closely with
industry groups to gain support for workable
policies, including WEDI/AFEHCT organizations
which are modeling and testing current
policies.
John Fanning, LLB
Division of Data Policy, ASPE, DHHS
John Fanning, LLB, Division of Data Policy,
Office of the Assistant Secretary for
Planning and Evaluation, DHHS is one of
the chief architects of the pending HIPAA
required Privacy Regulations. For the
seminar, Mr. Fanning presented an overview
of the underlying HIPAA legislation and
the impetus behind the bill in the context
of Administrative Simplification. Mr.
Fanning discussed:
- the Department's principles
with respect to privacy,
- additional background concerning state
and Federal law, who and what are covered
under the proposed privacy regulations
including basic requirements, and rights
for individuals under the rule,
- disclosure provisions,
- use and disclosure for treatment,
payment and health care operations, and
- other allowable disclosures without
patient consent.
Finally, Mr. Fanning outlined internal
practices and administrative procedures
for handling protected health information
and discussed issues of preemption of
state laws, as well as additional uses
without patient authorization. Several
questions were raised concerning the scope
and nature of "contracting"
and "business partner agreement"
requirements under the data security and
privacy rules.
Maj. Catherine Beck
U.S. Army Medical Research & Materiel
Command
Major Catherine Beck, Information Sciences
Division, Telemedicine and Advanced Technology
Research Center, U.S. Army Medical Research
and Materiel Command described recent
videotape documentation guidelines, and
the Department of Defense Healthcare Information
Assurance program. Under her leadership,
guidance concerning videotape documentation
was released recently in the Federal
Register. These guidelines underscored
that while videotapes are not part of
the medical record, when an episode of
care is documented, the patient must provide
prior written consent for the taping unless
the consultation is for the documentation
of abuse or neglect. After standard documentation
is complete, the tape should be erased
unless exempted for some specific reason.
Exceptions to prohibitions against retaining
tapes may be made for educational cases
if Privacy Act regulations are followed.
Moreover, the guidelines do not apply
to electronic images such as radiographs
and digital photos for which documentation
processes are already in place.
Following this discussion, Maj. Beck
briefed the group on the DoD Healthcare
Information Assurance program which was
Congressionally funded in 1998 to enhance
the protection and privacy of electronic
healthcare information among military
health systems. Program goals are to ensure
compliance with HIPAA, ensure security
of current systems, and plan for the security
of future healthcare systems. Information
assurance regulations will be identified,
gaps between HIPAA and current DoD
regulations will be identified, the
impact on echelons of care will be
assessed, and risk assessment capabilities
built. Following these exercises, security
simulation models will be built, Risk
Information Management Resources (RIMR)
established and Medical Information Security
Readiness Teams fielded.
Neal Neuberger
Health Tech Strategies, LLC
Neal Neuberger, President of Health Tech
Strategies, LLC and seminar producer on
behalf of OAT, concluded the day by briefing
attendees about pending legislation relating
to privacy in the 106th Congress and at
the state level. Mr. Neuberger outlined
the impetus behind some pending bills.
These include legal deadlines under the
1996 HIPAA law; DHHS' preference
for further Congressional action; the
EU Data Directive of 1995; absence of
a comprehensive Federal privacy law; growth
of unsecured IT projects in healthcare;
and scientific developments in the Human
Genome Project, among others. Mr. Neuberger discussed
some of the hundreds of different state
laws that may necessitate the need for
a uniform national approach. He then described
similarities and dissimilarities (areas
of contention) in the leading Congressional
measures by Senators Leahy (S.573), Jeffords
(S.578), and Bennett (S.881). Outstanding
issues include:
- how to deal with issues of preemption,
- parental notification and minors'
rights,
- law enforcement access to records,
- how research organizations will be
covered,
- scope and reach of provisions,
- how the provisions will be enforced,
and
- the degree to which patients will
be allowed "private rights of action"
which may arise out of security breaches.
Neuberger discussed the outlook and
prospects for additional legislation during
the second session of the 106th Congress,
just as lead members and staff are analyzing
pending data security and privacy rules
to determine if additional legislation
is needed.